Open Bug 1578220 Opened 2 years ago Updated 2 months ago

Add a toggle to enable/disable all debugger statements


(DevTools :: Debugger, enhancement, P3)



(Not tracked)


(Reporter: nbp, Unassigned)



(Keywords: dev-doc-needed)

Today some JavaScript Obfuscator are using the debugger; keyword to prevent reverse engineering the code, or editing value with a debugger. Unfortunately these mitigations cause performance issues which appear only in Firefox.

By offering a toggle to enable/disable debugger statements, and communicating about it, we will not fix this performance issue, but suggest to developers of these tools that this kind of mitigation is now useless. Thus, hopefully reducing the number of these from appearing on the Web.

The performance problem comes from the way the the debugger statement is used.
It is used in a newly created function, called by a function which is calling it-self recursively, and executed in a try-catch. The performance problem then appears from the fact that Firefox seems to have a bigger JavaScript stack than Chrome[1] in this specific case, thus crashing later rather than sooner. (see Bug 1475013)

[1] In the debugger console:

var i = 0;
function f() { i++; f() }

On my system:
Firefox: i == 45706
Chromium: i == 15728

Priority: P5 → --
See Also: → 1562700, 1578350, 1537609
No longer blocks: firebug-gaps, dbg-control, dbg-70
No longer depends on: 925269

I believe that the "disable all debugger statements" button already exists. There is a button in the top right of the debugger that disables breakpoints, debugger statements and other types of pausing.

That doesn't address the goal of this bug though, which would be to allow people to debug normally, while basically skipping the part where debugger; statements cause a pause, thus removing the encouragement for projects to use them as an obfuscation mechanism.

hmm, i see. so breakpoints should still work, but debugger statements should be disabled...

could we address this by making it easy to disable specific debugger statements?

The hard part is evalled code, since that will create a brand new snippet with a new debugger that isn't disabled. Disabled-by-default seems to be the only way.

Could JS engine provide a config pref to solve this edge use case – disabling debugger statements? We probably need more time to evaluate our approach on how to expose this in DevTools.

Flags: needinfo?(nicolas.b.pierron)

I think this is doable, but Jim is likely to know better than me.

Flags: needinfo?(nicolas.b.pierron) → needinfo?(jimb)

Can't we just do this in the server, today, by not setting an onDebuggerStatement handler in the first place?

Flags: needinfo?(jimb)
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.